Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
AD Troubleshooting
This is typically related to the CRLs of the issuing CA or root CA having expired in their current CDP location.
To resolve it, check that all CAs are able to publish base CRLs and delta CRLs to the locations defined on the OCSP responder's certificate for that revocation configuration.
Another scenario is a CA in the chain having had its certificate renewed with a new key pair while the CDP is hardcoded to a specific name rather than the variables used by the CA. In that case the new CRL is signed by a different key pair than the CRL associated with the OCSP responder certificate. The quickest way to resolve it is typically to enroll for a new OCSP responder certificate from the CA, since that will use the new keys for the CRL.
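The following PowerShell is an added example for checking both scenarios above; it is not code from the original post or from Microsoft. It assumes certutil.exe is available, that the Online Responder's signing certificate (EKU 1.3.6.1.5.5.7.3.9) is in the machine's personal store, that certutil prints English labels (the regular expressions are locale dependent), and that the CRL URLs you pass in are the base and delta CRL locations of the revocation configuration. The registry check is meant to run on the CA itself; the `%8` heuristic for hardcoded CRL names and the example URLs are assumptions.

```powershell
# Added example, not from the original post. Assumptions: certutil.exe present,
# OCSP signing cert in Cert:\LocalMachine\My, English certutil output.

# Normalise a "KeyID=aa bb cc" fragment (certutil or .NET Format output) to
# lowercase hex so a CRL's Authority Key Identifier can be compared with a cert's.
function ConvertTo-KeyIdHex {
    param([string]$Text)
    if ($Text -match 'KeyID=([0-9A-Fa-f]{2}(?: ?[0-9A-Fa-f]{2})*)') {
        return ($Matches[1] -replace ' ', '').ToLower()
    }
    return $null
}

# Scenario 1: download one CRL from its CDP and report whether it has expired
# (NextUpdate in the past means the CA is no longer publishing there) and which
# CA key signed it.
function Get-CrlInfo {
    param([Parameter(Mandatory)][string]$CdpUrl)
    $tmp = Join-Path $env:TEMP ("crlcheck-{0}.crl" -f [guid]::NewGuid())
    try {
        Invoke-WebRequest -Uri $CdpUrl -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        $dump = (& certutil.exe -dump $tmp 2>&1) -join "`n"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    $nextUpdate = $null
    if ($dump -match 'Next\s*Update:\s*([^\r\n]+)') {
        try { $nextUpdate = [datetime]::Parse($Matches[1].Trim(), [cultureinfo]::CurrentCulture) } catch { }
    }
    [pscustomobject]@{
        Url            = $CdpUrl
        IsDelta        = ($dump -match 'Delta CRL Indicator')
        NextUpdate     = $nextUpdate
        Expired        = ($null -eq $nextUpdate) -or ($nextUpdate -lt (Get-Date))
        AuthorityKeyId = ConvertTo-KeyIdHex $dump
    }
}

# Scenario 2: the OCSP signing cert carries an Authority Key Identifier naming the
# CA key that issued it; a CRL signed by a renewed key has a different one.
function Get-OcspSigningCertInfo {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.9' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No OCSP signing certificate found in Cert:\LocalMachine\My' }
    $aki = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        IssuerKeyId = if ($aki) { ConvertTo-KeyIdHex $aki.Format($false) } else { $null }
    }
}

# Run both checks for every CRL location of the revocation configuration.
function Test-OcspCrlBinding {
    param([Parameter(Mandatory)][string[]]$CdpUrl)
    $signer = Get-OcspSigningCertInfo
    foreach ($u in $CdpUrl) {
        $crl = Get-CrlInfo -CdpUrl $u
        $keyMatch = $crl.AuthorityKeyId -and $signer.IssuerKeyId -and
                    ($crl.AuthorityKeyId -eq $signer.IssuerKeyId)
        [pscustomobject]@{
            Url                 = $u
            IsDelta             = $crl.IsDelta
            NextUpdate          = $crl.NextUpdate
            CrlSigningKeyId     = $crl.AuthorityKeyId
            OcspCertIssuerKeyId = $signer.IssuerKeyId
            Finding = if ($crl.Expired) { 'CRL expired or unreadable: check CA publishing to this CDP' }
                      elseif (-not $keyMatch) { 'CRL signed by a different CA key: re-enroll the OCSP signing cert' }
                      else { 'OK' }
        }
    }
}

# On the CA: list CRLPublicationURLs and flag entries whose file name lacks the
# %8 (CRL name suffix) variable. Without it, the CRLs of the old and renewed CA
# keys share one file name and overwrite each other (heuristic; the "N: flags:url"
# line format of certutil -getreg is assumed).
function Get-HardcodedCrlPublicationUrls {
    $out = (& certutil.exe -getreg 'CA\CRLPublicationURLs' 2>&1) -join "`n"
    foreach ($m in [regex]::Matches($out, '(?m)^\s*\d+:\s*(\d+):(.+?)\s*$')) {
        [pscustomobject]@{
            Flags     = [int]$m.Groups[1].Value
            Url       = $m.Groups[2].Value
            Hardcoded = ($m.Groups[2].Value -notmatch '%8')
        }
    }
}

# Usage on the responder (placeholder URLs; take the real ones from the revocation
# configuration's base and delta CRL settings):
# Test-OcspCrlBinding -CdpUrl 'http://pki.example.com/CertEnroll/Issuing-CA.crl',
#                             'http://pki.example.com/CertEnroll/Issuing-CA+.crl' | Format-Table
# Usage on the CA:
# Get-HardcodedCrlPublicationUrls | Where-Object Hardcoded
```

A "CRL expired" finding points at the first scenario (fix publishing on the CA); a key mismatch with a fresh CRL points at the second (re-enroll the responder's signing certificate so it is issued under the renewed CA key).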
Further details